The particular alias I'm looking to "class up" into a Python script happens to be one that makes use of the cUrl -o (output to file) option. I suppose I could as easily turn it into a BASH function, but someone advised me that I could avoid the quirks and pitfalls of the different versions and "flavors" of BASH by taking my ideas and making them Python scripts.
Coincident with this idea is another notion I had to make a feature of legacy Mac OS (officially known as "OS 9" or "Classic") pertaining to downloads platform-independent: writing the URL to some part of the file visible from one's file navigator {Konqueror, Dolphin, Nautilus, Finder or Explorer}. I know that only a scant few file types support this kind of thing using some other command-line tools (exiv2, wrjpgcom, etc). Which is perfectly fine with me as I only use this alias to download single-page image files such as JPEGs anyways.
I reckon I might as well take full advantage of the power of Python by having the script pass the string which is the source URL of the download (entered by the user and used first by cUrl) to something like exiv2 which could write it to the Comment block, EXIF User Comment block, and (taking as a first and worst example) Windows XP's File Description field. Starting small is sometimes a good way to start.
Hope someone has advice or suggestions.
BZT
The relevant section from the Bash manual states:
Aliases allow a string to be
substituted for a word when it is used
as the first word of a simple command.
So, there should be nothing preventing you from doing e.g.
$ alias geturl="python /some/cool/script.py"
Then you could use it like any other shell command:
$ geturl http://example.com/excitingstuff.jpg
And this would simply call your Python program.
I thought Pycurl might be the answer. Ahh Daniel Sternberg and his innocent presumptions that everybody knows what he does. I asked on the list whether or not pycurl had a "curl -o" analogue, and then asked 'If so: How would one go about coding it/them in a Python script?' His reply was the following:
"curl.setopt(pycurl.WRITEDATA, fp)
possibly combined with:
curl.setopt(pycurl.WRITEFUNCITON, callback) "
...along with Sourceforge links to two revisions of retriever.py. I can barely recall where easy_install put the one I've got; how am I supposed to compare them?
It's pretty apparent this gentleman never had a helpdesk or phone tech support job in the Western Hemisphere, where you have to assume the 'customer' just learned how to use their comb yesterday and be prepared to walk them through everything and anything. One-liners (or three-liners with abstruse links as chasers) don't do it for me.
BZT
Related
Imagine you gave a Python exam to a large group of 500 students (or C, or Java, or other language, possibly anything).
You want to check the result of each code that your students submitted.
Of course, you won't have time to manually read all of them, and you can't execute the files because you can't trust your students!
It's most likely that at least one student has written a very evil program that will read your entire home folder, steal it by sending it over the network to his private server, then will delete and burn your laptop to ashes.
I want to know what is safe and what is not safe when dealing with such cases.
I assume (and I really hope) that there is no risk in opening such an evil program evil.py in a basic text editor, like GNU Nano or Gedit. Same for any basic command line program like file evil.py etc.
I hope there is no risk in opening it in a "smart" editor that performs clever "intellisense-like" code exploration (I'm thinking of VSCode, but Emacs and Vim and many other IDEs do the same)... but maybe I'm wrong... Can someone please confirm or explain?
But what about using command line linters, such as pylint for Python, or tools like mega-linter for other languages... So here's my quesiton: is there any risk in executing such linters on a very evil input file?
For the thought experiment, I have to assume that the evil hacker student knows exactly what linters I'll use to evaluate her/his code, and could design the evil.py code to attack this linter!
I would also be very happy if the answer is not specific to reading/linting Python (and possibly, safely executing the code from a local sandbox) but also to compiled language such as Java, C or OCaml.
if you are not sure, use linux and set all files as not executable :)
vscode is not excel... a "hack" i could imagine would be to open a project with a recommended extension (in .vscode folder) , and that vscode extension would contain whatever could make your computer a bitcoin miner 🤣 But except that it should be ok
Mega-Linter runs within a docker image, and it just read files, not runs them, so I think it's pretty safe :)
Bonus: wouldn't it be fun to run Mega-Linter with just the copy-paste detector on the parent folder of all your projects , to check who copied what to who ? 😇
So, I recently made a Python program that I want to send to someone with them being able to execute it, but not read the code I have typed in it. Any ideas how to do it?
BTW, I want it to be irreversible
In short, here are my Parameters:
Should remain a Python file
Can't be reversed
Code should not be readable
Should still have the ability to be run
The criteria you've posted are inconsistent.
Python is an interpreted language. The entity running the language (i.e. Python interpreter) is reading your code and executing it, line by line. If you wrap it up to send to someone, their Python interpreter must have read permissions on the file, whether it's source code or "compiled" Python (which is easily decompiled into equivalent source code).
If we take a wider interpretation of "send to someone", there may be a business solution that serves your needs. You would provide your functionality, rather than the code: deploy it as a service from some available server: your own, or rented space. To do this, you instead provide an interface to your functionality.
If this fulfills your needs, you now have your next research topic.
I am coding Python3 in Vim and would like to enable autocompletion.
I must use different computers without internet access. Every computer is running Linux with Vim preinstalled.
I dont want to have something to install, I just want the simplest way to enable python3 completion (even if it is not the best completion), just something easy to enable from scratch on a new Linux computer.
Many thanks
Unfortunately Vim, by default doesn't do what you want, you are pretty much limited to the Ctrl-P style, which is better than it seems once you get used to it.
However i also often find myself working on machines that are not allowed to access the internet or have other files placed on them and When i find myself in this situation and i am using an unfamiliar language i sometimes use Vim's dictionary completion: http://vim.wikia.com/wiki/VimTip91
To populate this dictionary i cat / trim / filter the man pages for the language to get a variety of keywords. I ram these into a filetype specific dictionary: au FileType * execute 'setlocal dict+=~/.vim/words/'.&filetype.'.txt'
Obviously this isn't the greatest solution and it is a bit heavy handed but it does provide a certain degree of "What is that function called" type stuff.
If you have compiled vim with +python3, you can try omnifunc.
Add following to your ~/.vimrc:
au FileType python setl ofu=python3complete#Complete
Then in insert mode, just type CtrlX + CtrlO.
See :help omnifunc.
by default, Ctrl-P in insert mode do an autocompletion with all the words already present in the file you're editing
I am about to get a bunch of python scripts from an untrusted source.
I'd like to be sure that no part of the code can hurt my system, meaning:
(1) the code is not allowed to import ANY MODULE
(2) the code is not allowed to read or write any data, connect to the network etc
(the purpose of each script is to loop through a list, compute some data from input given to it and return the computed value)
before I execute such code, I'd like to have a script 'examine' it and make sure that there's nothing dangerous there that could hurt my system.
I thought of using the following approach: check that the word 'import' is not used (so we are guaranteed that no modules are imported)
yet, it would still be possible for the user (if desired) to write code to read/write files etc (say, using open).
Then here comes the question:
(1) where can I get a 'global' list of python methods (like open)?
(2) Is there some code that I could add to each script that is sent to me (at the top) that would make some 'global' methods invalid for that script (for example, any use of the keyword open would lead to an exception)?
I know that there are some solutions of python sandboxing. but please try to answer this question as I feel this is the more relevant approach for my needs.
EDIT: suppose that I make sure that no import is in the file, and that no possible hurtful methods (such as open, eval, etc) are in it. can I conclude that the file is SAFE? (can you think of any other 'dangerous' ways that built-in methods can be run?)
This point hasn't been made yet, and should be:
You are not going to be able to secure arbitrary Python code.
A VM is the way to go unless you want security issues up the wazoo.
You can still obfuscate import without using eval:
s = '__imp'
s += 'ort__'
f = globals()['__builtins__'].__dict__[s]
** BOOM **
Built-in functions.
Keywords.
Note that you'll need to do things like look for both "file" and "open", as both can open files.
Also, as others have noted, this isn't 100% certain to stop someone determined to insert malacious code.
An approach that should work better than string matching us to use module ast, parse the python code, do your whitelist filtering on the tree (e.g. allow only basic operations), then compile and run the tree.
See this nice example by Andrew Dalke on manipulating ASTs.
built in functions/keywords:
eval
exec
__import__
open
file
input
execfile
print can be dangerous if you have one of those dumb shells that execute code on seeing certain output
stdin
__builtins__
globals() and locals() must be blocked otherwise they can be used to bypass your rules
There's probably tons of others that I didn't think about.
Unfortunately, crap like this is possible...
object().__reduce__()[0].__globals__["__builtins__"]["eval"]("open('/tmp/l0l0l0l0l0l0l','w').write('pwnd')")
So it turns out keywords, import restrictions, and in-scope by default symbols alone are not enough to cover, you need to verify the entire graph...
Use a Virtual Machine instead of running it on a system that you are concerned about.
Without a sandboxed environment, it is impossible to prevent a Python file from doing harm to your system aside from not running it.
It is easy to create a Cryptominer, delete/encrypt/overwrite files, run shell commands, and do general harm to your system.
If you are on Linux, you should be able to use docker to sandbox your code.
For more information, see this GitHub issue: https://github.com/raxod502/python-in-a-box/issues/2.
I did come across this on GitHub, so something like it could be used, but that has a lot of limits.
Another approach would be to create another Python file which parses the original one, removes the bad code, and runs the file. However, that would still be hit-and-miss.
I've gotten omnicompletion with Pysmell to work before, but I can't seem to do it again.
I tried following some steps online, but most, if not all, of them are to vague and assume too much that you know what you are doing to some extent.
Can someone post a full, step-by-step tutorial on how to get code completion working properly, for complete Vim newbies (for dummies?)?
There's also Ctrl+n in insert mode which will autocomplete based on the words it has seen in any of the open buffers (even in other tabs).
You may try Pydiction (Excerpt below)
Description Pydiction allows you to
Tab-complete Python code in Vim,
including: standard, custom and
third-party modules and packages. Plus
keywords, built-ins, and string
literals.
Pyflakes has a vim plugin that does this pretty awesomely. Unlike Pydiction, you don't need to build a dictionary beforehand (so if you're bouncing between different virtualenvs it's a bit less hassle.) I haven't been using it long but it seems very slick.
Try hitting Ctrl-p while typing mid-word. Ctrl-p inserts the most recent word that starts with the prefix you're typing and Ctrl-n inserts the next match. If you have several possibilities, you can hit ctrl-p more than once to substitute each candidate in order.